[ https://issues.apache.org/jira/browse/SHIRO-445?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13847971#comment-13847971 ]
Richard J. Barbalace commented on SHIRO-445:
--------------------------------------------
The new patch addresses the issue described here:
shiro-user.582556.n2.nabble.com/Best-practice-for-managing-different-shiro-ini-files-for-different-environment-td7579099.html
I have been using this patch for a couple months now in production. (For the
submission, I had to change the logging in IniFactory.java to match that used
in Shiro, but that is all.) The two packages included in this patch allow the
inclusion of data from a separate INI file (or other data source) aside from
shiro.ini. The details and use cases are described in the package-info.java
files. The org.apache.shiro.config.external package can be used to allow
configuration settings to be read into shiro.ini from a separate config.ini
file (which is useful for server configurations when you want to check
shiro.ini into version control, but have per-server customizations) and the
org.apache.shiro.config.password package allows for the encryption of such
plain text configuration.
This patch should be able to be incorporated into the Shiro project with
minimal change. (As noted in a previous comment, some @Override statements
might be dropped depending on the Java version used.) Also, see the TODO note
around lines 144-150 of IniFactory.java.
> Mechanism needed to secure passwords in shiro.ini
> -------------------------------------------------
>
> Key: SHIRO-445
> URL: https://issues.apache.org/jira/browse/SHIRO-445
> Project: Shiro
> Issue Type: New Feature
> Components: Authentication (log-in), Specification API
> Affects Versions: 1.2.2
> Environment: Any.
> Reporter: Richard J. Barbalace
> Fix For: 1.2.3
>
> Attachments: mypatch.txt, mypatch2.txt
>
> Original Estimate: 24h
> Remaining Estimate: 24h
>
> There should be a mechanism to secure passwords stored in shiro.ini for
> accessing databases or other data sources, as described in this Shiro user
> forum post:
> http://shiro-user.582556.n2.nabble.com/How-to-secure-database-password-in-shiro-ini-td7578763.html
> A flexible and extensible approach should allow for passwords to be stored in
> other INI or properties files, JNDI resources, databases, key stores, key
> servers, or other data sources. Passwords might be encrypted using a master
> key, which could likewise be stored in various data sources.
> I already have an initial patch prepared that allows for passwords to be
> stored (plaintext or encrypted with a master key) in other INI files, similar
> to a shadow password file. This can be further extended to use other data
> sources as needs arise.